Intel
The attack is dangerous only in the context of manipulations with calculations in the SGX enclaves, since it requires the presence of root rights in the system to carry out. In the simplest case, an attacker can achieve distortion of the information processed in the enclave, but in more complex scenarios, the possibility of recreating the private keys stored in the enclave used for encryption using the RSA-CRT and AES-NI algorithms is not ruled out. The technique can also be used to generate errors in initially correct algorithms to provoke memory vulnerabilities, for example, to organize access to an area outside the allocated buffer.
Prototype code for the attack
The essence of the method is to create conditions for the occurrence of unexpected data distortions during calculations in SGX, from which the use of encryption and memory authentication in the enclave does not protect. To introduce distortion, it turned out that it was possible to use standard software interfaces for frequency and voltage control, usually used to reduce power consumption during system downtime and activate maximum performance during intensive work. Frequency and voltage characteristics cover the entire chip, including the impact of performing calculations in an isolated enclave.
By changing the voltage, it is possible to achieve conditions under which the charge is not enough to regenerate the memory cell inside the CPU, and its value changes. The key difference from attack
If this modified value is used in the multiplication process in the encryption process, then the output is rejected with an invalid ciphertext. Having the ability to access the handler in SGX to encrypt their data, an attacker can accumulate statistics about the change in the output ciphertext and, in a few minutes, restore the value of the key stored in the enclave, causing failures. The original text at the input and the correct ciphertext at the output are known, the key does not change, and the output of an incorrect ciphertext indicates a distortion of some bit to the opposite value.
After analyzing the pairs of values ββof the correct and distorted ciphertexts accumulated during different failures, using the methods of differential failure analysis (DFA,
Various models of Intel processors are affected, including Intel Core 6 CPUs.
through the 10th generation, as well as the fifth and sixth generations of Xeon E3, the first and second generations of Intel Xeon Scalable, Xeon D,
Xeon W and Xeon E.
Recall that the SGX technology (
Source: opennet.ru